Cutting down on ssh breakin attempts - FreeBSD


  1. #1

    Cutting down on ssh breakin attempts

    Hi,

    I run a webmail server for a small company, which
    is (of course) running FreeBSD 5-stable. I get about
    50-100 failed login attempts via ssh on a daily basis.

    Occasionally, these show up in my daily security digest
    with messages like:

    reverse mapping checking getaddrinfo for h169-210-68-8.a
    dcast.com.tw failed - POSSIBLE BREAKIN ATTEMPT!

    But mostly it's stuff like

    Illegal user postgres from 210.68.8.169

    What's the best way to cut down on these attempts?
    I thought about adding a blacklist to my pf.conf rules
    for the pf firewall.

    Any thoughts would be greatly appreciated!
    Kyle
    Kyle Guest

  2. #2

    Re: Cutting down on ssh breakin attempts

    On Monday 14 March 2005 07:04, Kyle Jensen wrote: 

    Maybe this is an obvious question, but do you need world access to
    ssh?

    --
    Thanks,

    Josh Paetzel
    Josh Guest

  3. #3

    Re: Cutting down on ssh breakin attempts



    Kyle Jensen wrote:
     
    Four suggestions:
    1) If you know where your valid ssh logins are going to come from filter
    out everything else.
    2) If you haven't already done so switch to public key authentication on
    ssh and disable password logins (doesn't stop the attempts but gives
    peace of mind that they are not going to work)
    3) Move your sshd to a non standard port (will stop the scripts and
    scanners but won't make any difference to a good blackhat)
    4) Implement a port knocking strategy (too much hassle in my view but YMMV)
    John Guest

  4. #4

    RE: Cutting down on ssh breakin attempts

    org wrote: 
     
    > Four suggestions:
    > 1) If you know where your valid ssh logins are going to come

    One suggestion:

    Don't sweat the small stuff.

    You're using ssh precisely because the ssh daemon is hardened against
    attacks, right?

    Do you put plastic wrap over your scotchguarded sofas?

    Ted

    Ted Guest
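
The blacklist idea from the first post, as an added example that is not part of the original thread: it counts failed sshd logins per source address and emits one address per line, the format a pf table file uses. The log lines are constructed, and the line formats beyond the two quoted above, the threshold of 3 and the trusted network 192.0.2.0/24 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of the messages quoted in the first post.
# Only 210.68.8.169 appears on the page; the rest are documentation ranges.
SAMPLE_LOG = """\
Mar 14 03:12:01 mail sshd[4211]: Illegal user postgres from 210.68.8.169
Mar 14 03:12:03 mail sshd[4211]: Failed password for illegal user postgres from 210.68.8.169 port 4301 ssh2
Mar 14 03:12:05 mail sshd[4215]: Illegal user oracle from 210.68.8.169
Mar 14 03:12:07 mail sshd[4217]: Illegal user test from 210.68.8.169
Mar 14 03:12:09 mail sshd[4219]: reverse mapping checking getaddrinfo for host.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Mar 14 03:13:40 mail sshd[4230]: Failed password for root from 198.51.100.7 port 2210 ssh2
Mar 14 03:14:02 mail sshd[4236]: Illegal user x from 192.0.2.10 from 203.0.113.9
Mar 14 03:14:04 mail sshd[4238]: Illegal user y from 192.0.2.10 from 203.0.113.9
Mar 14 03:14:06 mail sshd[4240]: Illegal user z from 192.0.2.10 from 203.0.113.9
Mar 14 08:30:11 mail sshd[4302]: Failed password for kyle from 192.0.2.10 port 50022 ssh2
Mar 14 08:30:15 mail sshd[4302]: Failed password for kyle from 192.0.2.10 port 50022 ssh2
Mar 14 08:30:19 mail sshd[4302]: Failed password for kyle from 192.0.2.10 port 50022 ssh2
"""

# The user name is chosen by the remote side, so it may itself contain
# " from <address>". The greedy .* plus the $ anchor keep only the address
# sshd appended last. "Failed password for illegal user" lines are skipped
# because the "Illegal user" line already counted that attempt.
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Illegal user|Failed password for(?! illegal user)) .*"
    r" from (\d{1,3}(?:\.\d{1,3}){3})(?: port \d+ ssh2)?$"
)

def offenders(log_text, trusted=(), threshold=3):
    """Addresses with >= threshold failures, excluding trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue  # e.g. the reverse-mapping warning, which names no address
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # four dotted numbers that are not a valid address
        if any(addr in n for n in nets):
            continue  # never blacklist the networks you administer from
        counts[addr] += 1
    return [str(a) for a in sorted(a for a, c in counts.items() if c >= threshold)]

if __name__ == "__main__":
    print("\n".join(offenders(SAMPLE_LOG, trusted=["192.0.2.0/24"])))
```

Without the trusted list, three mistyped passwords from the admin's own address would put it in the table, which is the lock-out risk of any log-driven blacklist.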
